Jupyterhub integration with LDAP authentication ?

[Zhang Xiaoyu]

Hi, guys,

I look at the Jupyterhub integration with GITHUB OAuth. But for my use case, I really need to make it working with LDAP or open directory since I am trying to make it useful in a cooperation env. What I really want to implement is

1. authentication each user via LDAP or open directory

2. for each user's login, create a docker container for that user only so that different user doesn't crash each other. We really need user level isolation on shared box

I think part 2 is there as project "dockerspawner" suggested, but for part 1, seems it is not there. I look at, seems someone mentions I can do the custom authenticator https://github.com/jupyter/jupyterhub/blob/master/docs/authenticators.md

is this custom authenticator easy to implement a LDAP integration ? Or can anyone suggestion other direction?

Thanks,

Xiaoyu

[MinRK]

A custom LDAP Authenticator should be one of the simpler ones to write. Much simpler than GitHub OAuth. You may want to grab a Python LDAP API, then you just need to relay the username/password info you get from the authentication request to LDAP and return a username on successful auth.

-MinRK

 

Thanks,

Xiaoyu

--
You received this message because you are subscribed to the Google Groups "Project Jupyter" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jupyter+u...@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/9b3cc5f1-0fb8-42b0-b6fa-505e5cfb7ec0%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Brendan Smithyman]

For purposes of the Docker container, it actually should be straightforward to just use Ubuntu's PAM LDAP integration. Something like this (run in the container) should work with an existing LDAP server:

export BASE="dc=bitsmithy,dc=net"

export URI="ldap://ldap.bitsmithy.net/"

apt-get update

apt-get -y install ldap-auth-client nscd

auth-client-config -t nss -p lac_ldap

cat > /usr/share/pam-configs/my_mkhomedir << END

Name: activate mkhomedir

Default: yes

Priority: 900

Session-Type: Additional

Session:

        required                        pam_mkhomedir.so umask=0022 skel=/etc/skel

END

cat >> /etc/ldap.conf << END

base $BASE

uri $URI

END

pam-auth-update

It doesn't help with the isolation issue (solved separately, I guess), but it should get you up and running w/o having to create users on the container one-by-one. Hope this helps.

Cheers,

Brendan

[Raminderjeet Singh]

I am running Jupyterhub using sudospawner (without docker). Can you share if you have configurations to do PAM/LDAP authentication? 

Thanks

Raminder

[Brendan Smithyman]

Hi Raminder,

I haven't tried sudospawner, but the configuration changes from the Docker container I made (https://hub.docker.com/r/bsmithyman/jupyterhub-ldap/) should work generally on Ubuntu. The source repository is on Github: https://github.com/bsmithyman/jupyterhub-ldap

This works with basic LDAP and secure LDAP without too much trouble; just requires some environment variables that are pulled in during the startup script.

If course, you could also use a Python LDAP library and write a custom authentication plugin, too... This just uses Ubuntu's PAM backend.

Hope this helps,
Brendan

--
You received this message because you are subscribed to a topic in the Google Groups "Project Jupyter" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jupyter/lvCIb1nYNYk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jupyter+u...@googlegroups.com.

To post to this group, send email to jup...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/8bc47549-2fea-499e-9d53-503e88a44067%40googlegroups.com.

[Yuvi Panda]

I too need to setup LDAP auth and can not use PAM for various reasons. I'll probably write an LDAP authenticator plugin next week if nobody else does by then

[Brendan Smithyman]

It’s definitely something I would be interested in; PAM is annoying. That being said, I’m afraid I’m swamped in the near future. Would be happy to test it, though.

Best,

Brendan

On Jan 9, 2016, at 12:32 PM, Yuvi Panda <yuvi...@gmail.com> wrote:

I too need to setup LDAP auth and can not use PAM for various reasons. I'll probably write an LDAP authenticator plugin next week if nobody else does by then

--
You received this message because you are subscribed to a topic in the Google Groups "Project Jupyter" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/jupyter/lvCIb1nYNYk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to jupyter+u...@googlegroups.com.
To post to this group, send email to jup...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/jupyter/CAFw%3DySi33KyjzTH1RXjuYMJJ3%3DJ3ETH9%2BSFq1%2BE5%2B0jKxVGcpQ%40mail.gmail.com.

[Yuvi Panda]

I spent some time and knocked up a quick LDAP Authenticator plugin for
JupyterHub:

https://github.com/yuvipanda/ldapauthenticator

I've tested it with python3.4 and against our OpenLDAP server, so
further testing / issues welcome :)

As an aside, anyone know if this can/should be in the jupyter or
jupyter-incubator github organizations?

[Brian Novogradac]

Hello,

I'm trying to implement this on my jupyterhub instance as well.  Its authenticating to my AD but i have a specific group im trying to use and it is no filtering to that group so any user is loggin in.